The FDIC’s newly approved amendments to 12 CFR Part 363 will significantly reshape internal control and audit requirements for financial institutions as key asset thresholds rise on January 1, 2026.
On November 25, 2025, the Federal Deposit Insurance Corporation (FDIC) approved amendments to 12 CFR Part 363, which implements Section 112 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA). Effective January 1, 2026, the asset-size threshold for internal control and audit requirements will increase from $1 billion to $5 billion. This change revises key regulatory thresholds that govern audit and reporting obligations for financial institutions.
Under the new rules, if an insured depository institution does not meet the updated thresholds on January 1, 2026, it will not need to comply with the Part 363 requirements in place on December 31, 2025.
What Are the Final FDICIA Rule Updates?
- Independent External Financial Statement Audit: Financial institutions with assets exceeding $1 billion are required to complete this process. Previously, the threshold applied to institutions with assets greater than $500 million.
- Independent External Testing of FDICIA Controls: Financial institutions with assets exceeding $5 billion are required to complete this process. Previously, the threshold applied to institutions with assets greater than $1 billion.
- Management Attestation of Effectiveness of FDICIA Controls: Financial institutions with assets exceeding $1 billion are required to complete this process. Previously, the threshold applied to institutions with assets greater than $500 million.
The updates outlined above were implemented to ease the compliance burdens associated with FDICIA testing. These changes are intended to benefit small and mid-sized financial institutions, as reporting requirements can be costly and burdensome for community banks, and small rural banks often face challenges meeting audit committee composition requirements.
How Should Institutions Act?
Based on the new thresholds, management can focus more on what is most important when reviewing the scope of internal controls. However, institutions with over $1 billion in current or projected assets must still attest to the effectiveness of internal controls under the new rule. While there is greater flexibility associated with internally managing the timing and scope of controls, maintaining strong internal controls remains essential to ensure the safety and soundness of each financial institution.
The Importance of Continued Internal Control Testing
- Risk Is Present Regardless Of Size: Internal control testing serves as a critical safeguard for financial institutions, helping to identify potential fraud, errors, and operational deficiencies. Institutions with asset sizes between $1 billion and $5 billion are required to formally attest to the effectiveness of their internal controls. This attestation must be supported by a reasonable basis, which is established through ongoing internal monitoring, documentation, and evaluation of control processes.
- Governance Expectations Remain: Regulatory agencies such as the FDIC, OCC, and Federal Reserve continue to emphasize the importance of strong governance and sound risk management practices. Deficiencies in internal controls can result in supervisory findings, enforcement actions, and significant reputational harm. Stakeholders, including shareholders, customers, and counterparties, depend on accurate and reliable financial reporting to maintain confidence in the institution. Ongoing testing and monitoring of controls demonstrates organizational discipline, reinforces transparency, and signals a commitment to regulatory compliance and stakeholder trust
- Preparation For Continued Growth: As financial institutions expand, the continued execution of control testing and the implementation of strong governance frameworks are essential to ensuring sustainable success. Effective internal controls not only mitigate costly errors but enhance audit readiness and streamline operational processes. Investments in robust internal controls and governance structures should be regarded not as sunk costs, but as strategic assets, strengthening institutional resilience, reinforcing regulatory confidence, and enabling long-term agility in an evolving financial landscape.
How Can Schneider Down Help?
While regulatory relief might reduce the burden of mandatory internal control testing, our role is to ensure your organization continues to operate with discipline, transparency, and resilience. At Schneider Downs, we deliver strategic advisory solutions that enable institutions to evaluate their internal control frameworks, optimize compliance practices, and align governance structures with sustainable long-term growth.
For more information, contact our risk advisory team at [email protected].
About Schneider Downs Risk Advisory
Our team of experienced risk advisory professionals focus on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.